Scots Firm Says PCI Compliance Essential for E-Commerce Confidence

Multimedia firm Channel 6 has urged all web-based businesses across Scotland to ensure they meet new security regulations for online transactions.

The e-commerce specialist has worked to meet new card security requirements which came into force this month, but says many other online retailers could be caught out because of lack of awareness about the changes.

Larger retailers have long had to meet rigorous PCI standards, but smaller online retailers have only been obliged to comply since October 1.

Under the new rules, merchants processing fewer than 20,000 e-commerce card transactions a year could now face a block on payments or risk substantial fines if they do not meet the new requirements.

Experts at Channel 6, one of Scotland’s leading developers of e-commerce websites, have advised online retailers that the measures are a good way of securing customer confidence and business reputation.

Kate Little, business development director with Channel 6, said: “The bottom line is, consumers are becoming increasingly aware of the importance of security when making online payments.

“This month’s changes mean more companies must now be PCI compliant. This is good because meeting these rigorous international card security standards can safeguard businesses and customers from fraud.

“These are vital issues, yet there has been very little publicity of the new PCI obligations, which means many people may not realise what they are required to do.

“We’ve taken the steps we can, and passed on information to our customers. However, across Scotland we suspect there may still be many smaller businesses which don’t even know these new security measures exist.”

New Rules

Glasgow-based Craig Armour, a senior manager for business advisory firm Deloitte’s security, privacy and resilience team, agreed: “There is still a lot of ignorance of PCI compliance in the industry – the message still hasn’t got out there quite yet.

“Many merchants, who are newly obliged to demonstrate PCI compliance since this October, are not aware of the standard or are unsure about what it means for them.

“Experience has taught us that relevant authorities – such as the Financial Services Authority and the card industry – are likely to take a very hard approach to firms who are not PCI compliant in the event of a data breach.”

Banks are responsible for policing key areas of PCI compliance, which include protecting stored cardholder data, encrypting transfer of card data across public networks and developing and maintaining secure systems.

An HSBC Merchant Services spokesman explained that non-compliant firms could face hefty fines from card companies such as Visa and MasterCard in the event that customers’ data security was breached.

He added: “These fines are potentially unlimited and could run into hundreds of thousands of pounds. Compliance with PCI DSS does not entirely remove this risk, but it does significantly reduce your exposure to this risk.”

Surprise Costs

Kate urged online businesses which have not yet addressed the issue to take the initiative now to avoid surprise costs later.

She added: “We know from our own experience that this can be a difficult job. We have had to ensure our own servers are all compliant and that involved bringing in external consultants and weeks of work.

“However, this completed work means that more than 50 of our online clients which use our web servers can now assure customers they are meeting the highest international standards to keep sensitive personal card data secure.”

Kate advised that many e-commerce sites may need little more than a simple scan and a few basic updates, which they may be able to do themselves or through their banks, IT support firms or computer security specialists.

She added: “Some older sites may need to be rebuilt, but at least if the owners know that they can start planning now and avoid unpleasant shocks later.

“We operate in the e-commerce sector, and it is in our best interests and all businesses in this arena to know about and comply with the new rules.”

Bob Russo, general manager of the PCI Security Standards Council, said: “The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises.”